VYPR
← All advisories
Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-46010

CVE-2026-46010

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix error handling in rxgk_extract_token()

Fix a missing bit of error handling in rxgk_extract_token(): in the event that rxgk_decrypt_skb() returns -ENOMEM, it should just return that rather than continuing on (for anything else, it generates an abort).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing error return in the rxrpc kernel module's rxgk_extract_token() can cause NULL-pointer dereference or incorrect abort handling when memory allocation fails.

Vulnerability

In the Linux kernel's rxrpc AF_RXRPC socket family, the function rxgk_extract_token() in net/rxrpc/rxgk.c fails to return the error code from rxgk_decrypt_skb() when it returns -ENOMEM. Instead, the code continues with the decryption result, potentially leading to a NULL-pointer dereference or incorrect abort handling. The bug is present in kernel versions before the fix commit 293095ef618818852bac5488c1bc223935e2ca17 [1].

Exploitation

An attacker would need the ability to trigger an out-of-memory condition in the kernel's memory subsystem while an rxrpc connection is being established or a token is being extracted. This is a local condition; the attacker must have a means to exhaust memory, such as running a memory-pressure workload, and then initiate an rxrpc connection that triggers token extraction. No authentication or user interaction is required beyond having access to create AF_RXRPC sockets.

Impact

If rxgk_decrypt_skb() returns -ENOMEM and the error is not returned, the code proceeds to use possibly invalid pointers (e.g., from a failed decryption buffer), leading to a kernel crash (denial of service) or potentially information disclosure if the subsequent abort path uses uninitialized data. The privilege level required is local unprivileged access; the result is a system crash or other undefined behavior.

Mitigation

The fix is included in Linux kernel commit 293095ef618818852bac5488c1bc223935e2ca17 [1], which is part of the stable kernel releases starting from version 5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.8.x, and 6.9.x depending on the distribution. Users should apply the latest stable kernel updates from their vendor. No workaround is available without patching the kernel source.

References
  1. Making sure you're not a bot!

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

6
3476c8bb960f

rxrpc: Fix error handling in rxgk_extract_token()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDavid HowellsApr 23, 2026Fixed in 7.1-rc1via kernel-cna
commit
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 5587639d60c538..0ef2a29eb69581 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 5587639d60c538..0ef2a29eb69581 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
293095ef6188

rxrpc: Fix error handling in rxgk_extract_token()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDavid HowellsApr 23, 2026Fixed in 6.18.27via kernel-cna
commit
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
c52803e92560

rxrpc: Fix error handling in rxgk_extract_token()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDavid HowellsApr 23, 2026Fixed in 7.0.4via kernel-cna
commit
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
c52803e92560

rxrpc: Fix error handling in rxgk_extract_token()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDavid HowellsApr 23, 2026via nvd-ref
commit
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
293095ef6188

rxrpc: Fix error handling in rxgk_extract_token()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDavid HowellsApr 23, 2026via nvd-ref
commit
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 30275cb5ba3e25..30b6701a986702 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
3476c8bb960f

rxrpc: Fix error handling in rxgk_extract_token()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDavid HowellsApr 23, 2026via nvd-ref
commit
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 5587639d60c538..0ef2a29eb69581 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg
  • net/rxrpc/rxgk_app.c+1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
index 5587639d60c538..0ef2a29eb69581 100644
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -245,6 +245,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
 		if (ret != -ENOMEM)
 			return rxrpc_abort_conn(conn, skb, ec, ret,
 						rxgk_abort_resp_tok_dec);
+		return ret;
 	}
 
 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Missing error return path in rxgk_extract_token() when rxgk_decrypt_skb() returns -ENOMEM causes the function to continue execution instead of propagating the memory-allocation failure."

Attack vector

An attacker can trigger this bug by sending a crafted RxRPC packet that causes the kernel to exhaust memory during token decryption. When rxgk_decrypt_skb() returns -ENOMEM, the function rxgk_extract_token() in net/rxrpc/rxgk_app.c fails to return the error and instead continues processing, leading to undefined behavior on a memory-depleted system. The attacker must be able to send network packets to a system using the RxRPC (AF_RXRPC) protocol with the rxgk security class.

Affected code

The vulnerable function is `rxgk_extract_token()` in `net/rxrpc/rxgk_app.c` [patch_id=2660465]. The defect is in the error handling block after the call to `rxgk_decrypt_skb()`.

What the fix does

The patch adds a single line — `return ret;` — after the existing `if (ret != -ENOMEM)` check in rxgk_extract_token() [patch_id=2660465]. Previously, when rxgk_decrypt_skb() returned -ENOMEM, the code fell through to the next operation (default_decode_ticket) instead of propagating the error. The fix ensures that a memory-allocation failure is immediately returned to the caller rather than allowing execution to continue on a system that is out of memory.

Preconditions

  • networkAttacker must be able to send network packets to a system using the AF_RXRPC protocol with rxgk security.
  • inputAttacker must craft a packet that triggers rxgk_decrypt_skb() to return -ENOMEM.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.